How to Use Prometheus Blackbox Exporter for Endpoint Monitoring on RHEL 9

November 26, 2025
Linux
Comment off

The Prometheus Blackbox Exporter allows you to probe external endpoints over HTTP, HTTPS, TCP, and ICMP and expose the results as Prometheus metrics. Unlike Node Exporter, which reports what is happening inside a host, the Blackbox Exporter reports whether a service is reachable from the outside — making it ideal for end-to-end availability checks. This tutorial covers installing the exporter on RHEL 9, writing a module configuration, scraping it with Prometheus, and alerting when a probe fails.

Prerequisites

RHEL 9 server with a non-root sudo user
Prometheus already installed and running (scrape interval configured)
Grafana installed for visualization (optional but recommended)
Internet access to download the Blackbox Exporter binary from GitHub

Step 1 — Download and Install the Blackbox Exporter

cd /tmp
BBVER="0.25.0"
wget https://github.com/prometheus/blackbox_exporter/releases/download/v${BBVER}/blackbox_exporter-${BBVER}.linux-amd64.tar.gz
tar xzf blackbox_exporter-${BBVER}.linux-amd64.tar.gz
sudo cp blackbox_exporter-${BBVER}.linux-amd64/blackbox_exporter /usr/local/bin/
sudo chmod +x /usr/local/bin/blackbox_exporter

# Create a dedicated system user (no login shell, no home)
sudo useradd --system --no-create-home --shell /sbin/nologin blackbox_exporter

Step 2 — Write the Module Configuration

Create /etc/blackbox_exporter/blackbox.yml to define the probe modules Prometheus will reference.

sudo mkdir -p /etc/blackbox_exporter
sudo tee /etc/blackbox_exporter/blackbox.yml > /dev/null <<'EOF'
modules:
  http_2xx:
    prober: http
    timeout: 10s
    http:
      valid_http_versions: ["HTTP/1.1", "HTTP/2.0"]
      valid_status_codes: []   # defaults to 2xx
      method: GET
      follow_redirects: true

  http_check_tls:
    prober: http
    timeout: 10s
    http:
      method: GET
      tls_config:
        insecure_skip_verify: false   # enforce valid certs

  tcp_connect:
    prober: tcp
    timeout: 5s

  icmp:
    prober: icmp
    timeout: 5s
    icmp:
      preferred_ip_protocol: ip4
EOF

Step 3 — Create the systemd Service

sudo tee /etc/systemd/system/blackbox_exporter.service > /dev/null <<'EOF'
[Unit]
Description=Prometheus Blackbox Exporter
After=network-online.target

[Service]
User=blackbox_exporter
Group=blackbox_exporter
Type=simple
ExecStart=/usr/local/bin/blackbox_exporter 
  --config.file=/etc/blackbox_exporter/blackbox.yml 
  --web.listen-address=:9115
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

sudo systemctl daemon-reload
sudo systemctl enable --now blackbox_exporter
sudo systemctl status blackbox_exporter

# Allow Prometheus to reach port 9115
sudo firewall-cmd --permanent --add-port=9115/tcp
sudo firewall-cmd --reload

Verify the exporter is responding: curl "http://localhost:9115/probe?target=https://example.com&module=http_2xx". You should see probe_success 1 in the output.

Step 4 — Configure Prometheus to Scrape the Blackbox Exporter

The Blackbox Exporter uses a relay pattern: Prometheus passes the target URL as a query parameter, and relabel rules rewrite the job. Add the following to your prometheus.yml under scrape_configs:

  - job_name: 'blackbox'
    metrics_path: /probe
    params:
      module: [http_2xx]
    static_configs:
      - targets:
          - https://example.com
          - https://api.myapp.com/health
          - tcp://db.internal:5432
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: localhost:9115   # blackbox_exporter address

Reload Prometheus after saving: sudo systemctl reload prometheus. Confirm the targets appear healthy at http://<prometheus>:9090/targets.

Step 5 — Alert on Probe Failure

Add an alerting rule to /etc/prometheus/rules/blackbox.yml so Alertmanager fires when an endpoint goes down:

groups:
  - name: blackbox
    rules:
      - alert: EndpointDown
        expr: probe_success == 0
        for: 2m
        labels:
          severity: critical
        annotations:
          summary: "Endpoint {{ $labels.instance }} is down"
          description: "Blackbox probe has been failing for more than 2 minutes."

      - alert: SSLCertExpiringSoon
        expr: probe_ssl_earliest_cert_expiry - time() < 86400 * 14
        for: 1h
        labels:
          severity: warning
        annotations:
          summary: "SSL cert for {{ $labels.instance }} expires in < 14 days"

Step 6 — Build a Grafana Dashboard

In Grafana, create a new dashboard and add panels using the key Blackbox metrics:

Probe Success Rate: probe_success — display as a stat panel with green/red thresholds (0 = red, 1 = green).
HTTP Duration: probe_http_duration_seconds — time series showing phase breakdown (DNS, connect, TLS, transfer).
SSL Cert Expiry: (probe_ssl_earliest_cert_expiry - time()) / 86400 — days remaining, threshold alert at 14.
DNS Lookup Time: probe_dns_lookup_time_seconds — useful for detecting resolver issues.

Alternatively, import Grafana community dashboard ID 7587 (Blackbox Exporter) for a pre-built layout covering all the above panels.

Conclusion

The Prometheus Blackbox Exporter is now installed on RHEL 9, probing HTTP, HTTPS, TCP, and ICMP targets on a schedule controlled by your Prometheus scrape interval. Alertmanager rules notify your team the moment a probe fails or an SSL certificate approaches expiry, and your Grafana dashboard gives a real-time view of external service availability across all monitored endpoints.

Next steps: How to Configure SNMP Monitoring on RHEL 9, How to Build Grafana Dashboards for Linux Server Metrics on RHEL 9, and How to Install and Configure cAdvisor for Container Monitoring on RHEL 9.